In an exclusive report, Bloomberg News outlines a month-long, systematic attack on Cola-Cola’s computer systems that may have influenced the failed $2.4 billion acquisition of a Chinese juice company.
The FBI knew about it. Coca-Cola knew about it. But shareholders were kept in the dark.
The Coke case, from 2009, shines a light on the lack of corporate disclosures of data breaches for fear they will damage stock prices. The Security and Exchange Commission says companies must report any material losses from cyber attacks; however, what constitutes a “material loss” leaves a lot to intrepretion.
Other companies included in the investigative piece include Chesapeake Energy and BG Group, which kept mum after intruders stole sensitive corporate data.
“Investors have no idea what is happening today,” Jacob Olcott, a former cyber policy adviser to the U.S. Congress, said in the news article. “Companies currently provide little information about material events that occur on their networks.”
In the Coca-Cola case, hackers believed to be part of China-based Comment used malware-infected e-mails to gain access and remotely control almost any Microsoft Windows server, work station or laptop on the world’s largest soft drink maker’s network. At the time, Coca-Cola was trying to acquire the China Huiyuan Juice Group.
“In the first two days, the hackers uploaded a dozen tools allowing them to steal e-mails and documents, installed a keystroke logger on the machine of a top executive in Hong Kong, and stole computer account passwords for other Coca-Cola employees, including those with administrative powers, to help them move freely across the company’s network,” according to the report based on interviews with insiders.
The deal with Huiyuan fell apart soon after, though a link to stolen data remains unclear.
Officials believe the same hacking group, Comment, was behind last year’s theft of information on natural gas leases for purchase from Chespeake Energy. The data was taken not from Chesapeake’s systems but those of a sales consultant involved in the transactions.
Additionally, hackers made off with sensitive information on drilling records belonging to British energy company BG Group.
Both companies never disclosed confidential information had been stolen.